Ernst & Young – Speaker Introductions
► Stephen McIntyre, Risk Advisory Services
► Hassan Qureshi, IT Risk Advisory Services
► Marco Perron, Risk Advisory Services
Agenda for the day
► Session 1 (9:00 – 10:15) – Internal Controls over
Financial Reporting (ICFR)
► Session 2 (1:30 - 2:30) – Panel discussion
► Session 3 (3:00 – 4:00) – Internal Controls in an
IT environment and reporting to audit
committees.
Session #1: Agenda
► How did we get here?
► The Policy on Internal Control (PIC)
► Internal Control over Financial Reporting (ICFR)
► The Top Down, risk based approach
► Entity Level Controls
► IT General Controls
► Transaction Level Controls
► What lessons can we learn from other internal control
projects?
Internal control certification - How did we get here? – Overview
► The requirement for management to provide certification
over the effectiveness of internal controls is not new
► Certifications exist in many formats, and requirements
can’t be generalized from one standard to another
► Internal controls are prevalent in more than one area of
the organization (e.g., IT, operations, finance, HR).
► A continuing focus on accountability and assurance to
stakeholders
Internal control certification - How did we get here? – Industry Models - US
► The first significant focus on internal control
certification related to financial reporting was Section 404 of the
Sarbanes-Oxley Act of 2002 (SOX 404).
► SOX represented the US government’s
response to a market in crisis and was put in
place to provide investors with additional
assurance over an entity’s financial health.
► SOX 404 requires management to assess and report on the
effectiveness of internal control over financial reporting, and the
company’s external auditor to attest to that assessment.
Internal control certification - How did we get here? – Industry Models - Canada
► Following the lead of the US markets, reporting issuers listed on
Canadian exchanges were soon required to
comply with a SOX-type equivalent standard.
► National Instrument 52-109, similarly to SOX 404, required
management (CEO/CFO) to attest to the effectiveness of internal
controls over financial reporting.
► Unlike SOX, the Canadian standard did not require the auditor to
provide an opinion over control effectiveness.
► This approach allowed for a more pragmatic assessment of internal
control effectiveness and placed greater flexibility in the hands of
management when concluding on control effectiveness.
Internal control certification - How did we get here? – Other models - UK
► Publicly listed companies in the UK are required to follow the
“Turnbull Guidance on Internal Control”, which sets out best
practice for internal controls.
► The directors of the company are required to complete annual reviews
of the group’s system of internal controls and report the results to the
shareholders.
► The review should cover financial, operational, and compliance/risk
controls.
Internal control certification - How did we get here? – Government Models - UK
► Industry hasn’t been the only sector with internal control reporting
responsibilities.
► In July of 2005, Her Majesty’s Treasury in the UK published
“Corporate governance in central government departments: Code of
good practice”.
► “The board should ensure that effective arrangements are in place to
provide assurance on risk management, governance and internal
controls. In this respect the board should be independently advised
by: (1) an audit committee chaired by an independent non-executive
member; and (2) an internal audit service operating in accordance
with Government Internal Audit Standards.”
Internal control certification - How did we get here? – Government Models - UK (continued)
► The Financial Reporting Manual provides additional disclosure
requirements for government departments as an Annex to the
financial statements.
► Scope of responsibility of the accounting officer
► The purpose of the system of internal controls
► Capacity to handle risk
► The risk and control framework
► Review of effectiveness
Policy on Internal Control (PIC) – Who is responsible?
► Primary responsibility for reporting of compliance under PIC is
allocated to the Deputy Head of the Department.
► The Deputy Head is responsible for ensuring the establishment, maintenance,
monitoring and review of the departmental system of internal control to
mitigate risks in the following broad categories:
► The effectiveness and efficiency of programs, operations and
resource management, including safeguarding of assets;
► The reliability of financial reporting; and
► Compliance with legislation, regulations, policies and delegated
authorities.
Policy on Internal Control (PIC) – What is it?
PIC defines the objectives and expected results as follows:
► Risks relating to the stewardship of public resources are adequately
managed through effective internal controls, including internal
controls over financial reporting.
► An effective risk-based system of internal control is in place in
departments and is properly maintained, monitored and reviewed,
with timely corrective measures taken when issues are identified.
Policy on Internal Control (PIC) – What is it? (continued)
► The Policy on Internal Control is not a
“make work project”.
► Underlying assumption that key controls
already exist in the organization to mitigate
key risks.
► The annual assessment is the evidence of this effective operation of
key controls and an opportunity to share insight to the remediation or
change strategy for those processes/controls that are not operating as
expected.
Policy on Internal Control (PIC) – When?
► The Policy on Internal Control took effect on April 1, 2009 and
compliance with the reporting requirements is being phased in over a
three-year period.
► The policy applies to all departments, as defined in section 2 of the
Financial Administration Act (FAA).
Policy on Internal Control (PIC) – Why?
► Parliament and Canadians expect the federal government to be well
managed with the prudent stewardship of public funds, the
safeguarding of public assets, and the effective, efficient and
economical use of public resources. They also expect reliable
reporting that provides transparency and accountability for how
government spends public funds to achieve results for Canadians.
► In 2004, the Office of the Comptroller General (OCG) stated that all
departments and agencies would be audited within 5 years. This requirement
was not passed into legislation.
► This was later revised in 2010 with the release of the Policy on
Financial Resource Management, Information and Reporting, which
requires departments to take measures to be able to sustain a
controls-based audit.
Policy on Internal Control (PIC) – How?
► Compliance with the policy will be disclosed within an organization’s
public reporting.
► The Deputy Head and the CFO will sign an annual departmental
Statement of Management Responsibility Including Internal Control
Over Financial Reporting, which will preface the departmental
financial statements.
► The results of a department’s annual assessment and action plan are
to be summarized in an annex to the Statement of Management
Responsibility Including Internal Control over Financial Reporting.
Internal Controls Over Financial Reporting (ICFR)
► Internal control is a term that carries a broad definition.
► Internal controls over financial reporting are a sub-set of the broader
suite of internal controls that exist within an organization and
specifically focus on the activities which prevent and/or detect errors
in financial reporting.
► Errors are the result of risks, which can be identified and mitigated by
controls.
► Effective internal controls are required to appropriately mitigate and
reduce risks, the underlying requirement of the Policy on Financial
Resource Management, Information and Reporting.
Internal Controls Over Financial Reporting (ICFR)
► ICFR can provide the reader of financial statements with:
► Assurance that financial statements fairly reflect all financial
transactions;
► Assurance that all transactions are recorded in accordance with
applicable policies, directives and standards;
► Assurance that transactions are carried out in accordance with
delegated authorities;
► Assurance that financial resources are safeguarded against
material loss due to waste, abuse, mismanagement, errors, fraud,
omissions and other irregularities;
Internal Controls Over Financial Reporting (ICFR)
► In order to assess internal controls over financial reporting, a
framework is required.
► The Committee of Sponsoring Organizations of the Treadway Commission (COSO)
framework has been the most consistently applied internal control framework
worldwide and is comprised of 5 inter-related components:
► Control Environment
► Risk Assessment
► Control Activities
► Information and Communication
► Monitoring
Internal Controls Over Financial Reporting (ICFR)
► There are two key elements to control effectiveness, control design
and control operation.
► Design effectiveness: effective control design is a reflection of the
right person, using the right information to make the right decision, to
mitigate identified risks.
► Operational effectiveness: effective operation is the consistent
application of an effectively designed control, without exception.
Top down, risk-based approach
► The overall objective of an effective system of internal controls over
financial reporting is reliable financial reporting, which in turn provides
an effective and efficient means of auditing the financial results.
► Equally important is the efficiency and effectiveness of the internal
control and risk identification strategy.
► One of the most common pitfalls is the over-identification of risks
related to the organization’s financial reporting.
► Using a top down, risk-based approach will address the requirements
of ICFR while maintaining efficiency throughout the organization.
Top down, risk-based approach – Entity Level Controls
► Using the COSO framework as a guide, the control environment plays
a significant role in the overall internal control system.
► Entity level controls (ELCs) provide the “tone at the top” of the
organization, and as a result directly or indirectly impact all
underlying controls.
► Effective ELCs can provide excellent leverage to reduce testing at
lower levels. Ineffective ELCs can spell disaster for all underlying
controls.
► ELCs exist in two forms, direct and indirect.
Top down, risk-based approach – Entity Level Controls (continued)
► Direct entity level controls monitor specific business and financial
risks, and operate at the level of precision necessary to detect
breakdowns in the application of an organization’s policies and
procedures.
Example: CFO and Director of Finance review the quarterly and annual financial
statement and related disclosures.
► Indirect entity level controls help define the control consciousness of
an organization without directly mitigating any one specific financial or
operational risk.
Example: An organizational code of conduct distributed via the intranet
Top down, risk-based approach – Entity Level Controls (continued)
► Benefits from leveraging effective ELCs:
► Reduce the extent of reliance on transaction level controls
► Increase the effectiveness of internal controls through leveraging
senior and experienced personnel
► Better define and communicate the expectations of management
across the organization (i.e., tone at the top)
► Reduce redundancy in controls performed across the organization
at different levels
Top down, risk-based approach – Design of transaction level controls
► The starting point for assessing the effectiveness of the
transaction level controls is defining what business
processes are in scope.
► In order to assess the ICFR, you need to work backwards
from the end objective, which in this case is the financial
statements.
► Step 1 – identify the significant accounts
► Step 2 – associate the significant business processes
► Step 3 – perform a detailed risk assessment
Top down, risk-based approach – Design of transaction level controls – Significant Accounts
► Determination of what accounts are deemed to be “significant” is a
matter of judgement.
► Guidance exists from the OCG to assist organizations in
determination of significant accounts and follows common practice
throughout private and public sector.
► Assess the materiality of the underlying account results, and assess
the inherent risks related to each account
► A combined risk based approach uses the results of these two
approaches to determine significance of each account presented on
the financial statements.
Top down, risk-based approach – Design of transaction level controls – Significant Accounts (continued)
► Each financial statement account carries a set of financial statement
assertions:
► Existence / Occurrence
► Completeness
► Valuation
► Presentation & Disclosure
► Rights & Obligations
► From a risk based perspective, each assertion by significant account
must be considered to prioritize the extent of identified risks.
► Example: Generally speaking, the completeness risk (understatement) is
greater for liability accounts than for asset accounts, where existence
is usually the greater concern.
Top down, risk-based approach – Design of transaction level controls – Significant Processes
► The value associated to each significant account is derived by a
specific set of business process(es). Don’t forget disclosure!
► A significant process can be associated to one specific account or
several accounts across the financial statements.
► In order to effectively and efficiently perform the risk assessment, you
must consider each business process and related transaction
processing from initiation to recording.
► Example: Procurement of a good or service is most commonly
initiated through a requisition completed by the end user. If during the
scoping exercise an organization was focused purely on the
traditional “accounting” functions, key risks could be overlooked.
Top down, risk-based approach – Design of transaction level controls - Risks
► The key objective in risk identification is to focus on key risks related
to financial reporting (and disclosure).
► Without appropriate identification of the significant accounts, related
assertions and processes, the risk identification process can easily go
beyond the applicable scope of ICFR.
► Ask the question “What could go wrong” specific to the
account/assertion/process.
► Hint: A key risk, if not mitigated by a control (or suite of controls),
could cause a material error to the financial statements.
Top down, risk-based approach – Design of transaction level controls - Controls
► Focus on identifying the key controls related to the identified key risks.
► Each identified key risk must have at least one associated key control.
► Where one key control is the only key control associated with several
key risks, it is a single point of failure: its failure is more likely to
result in a material error.
► Controls can be preventive or detective in nature. Ideally, a mix of
both should be identified.
Top down, risk-based approach – Operational assessment of controls
► Once the key controls have been identified, a testing strategy
focusing on the nature, extent and timing must be developed.
► Understanding the objective of each control is critical to performing
operational testing efficiently.
► Key controls can be prioritized for assessment based on individual
risk assessments. These assessments would consider how long this
control has been in place, the person(s) responsible for performing
the control, history of errors in the control and the extent to which an
error would impact the associated risks.
Top down, risk-based approach – Operational assessment of controls (continued)
► Methodologies for testing control operational effectiveness are
already established.
► The higher the frequency at which a control is performed, the greater the
population to be tested.
► Rule of thumb: 10% of the population, to a maximum of 25 items.
► Establishing the expectations for evidence is critical to the overall
assessment.
► Consistency in the operation of a well designed control is the overall
objective
Lessons Learned
► Tone at the top – Lack of executive sponsorship will not only lead to a failure of the
PIC project, but will cause significant repercussions throughout the internal control
evaluation process as the effective operation of entity level controls is critical for
assessment of transaction and IT controls.
► Leverage where appropriate – Although reliance on entity level controls can reduce
the extent of work on lower-level controls, the precision of these “higher level”
entity controls may not address the specifically identified risks at the
transaction level.
► Evidence the Operation of ELC’s – Entity level controls, by their nature, exist at
higher levels of the organization. As a result, documentation or evidence of their
operation is often inconsistent in form and frequency. Departments and agencies
should ensure that those controls identified as key to financial reporting are consistently
performed and documented to allow for substantive evaluation when required.
Lessons Learned
► Identify key risks and controls – There’s no prize for having the greatest number of
risks or controls. The more specific and strategic you can be the more efficiently and
effectively you can identify, evaluate and maintain the control system.
► Start early – Private industry implemented SOX 404 in 2004 after several delays
granted by the regulatory bodies. Regardless of the extended timelines, it was a sprint
to the finish for most.
► Don’t jump in without a plan– In order to keep PIC from becoming a “make work”
project, organizations need to create a plan that identifies the work to be completed,
the time available to perform the required steps and resource allocation.
► It’s not just a “finance” thing – Although the focus of ICFR is on financial reporting,
actions across the organization can directly and indirectly impact the risks and related controls.
Ownership of processes, and ability to identify when something has changed will be the
key to future sustainability of the process.